Information About Cisco MDS 9000 Switch Management and DCNM-SAN

The Cisco DCNM-SAN is a set of network management tools that supports Secure Simple Network Management Protocol version 3 (SNMPv3). It provides a graphical user interface (GUI) that displays real-time views of your network fabrics, and lets you manage the configuration of Cisco MDS 9000 Family devices and third-party switches. The Cisco DCNM-SAN provides an alternative to the command-line interface (CLI) for most switch configuration commands.

Cisco MDS 9000 Switch Management

The Cisco MDS 9000 Family of switches can be accessed and configured in many different ways and supports standard management protocols. Table 1-1 lists the management protocols that DCNM-SAN supports to access, monitor, and configure the Cisco MDS 9000 Family of switches.

Table 1-1 Supported Management Protocols

Management Protocol

Purpose

Telnet/SSH

Provides remote access to the CLI for a Cisco MDS 9000 switch.

FTP/SFTP/TFTP, SCP

Copies configuration and software images between devices.

SNMPv1, v2c, and v3

Includes over 80 distinct Management Information Bases (MIBs). Cisco MDS 9000 Family switches support SNMP version 1, 2, and 3 and RMON V1 and V2. RMON provides advanced alarm and event management, including setting thresholds and sending notifications based on changes in device or network behavior.

By default, the Cisco DCNM-SAN communicates with Cisco MDS 9000 Family switches using SNMPv3, which provides secure authentication using encrypted user names and passwords. SNMPv3 also provides the option to encrypt all management traffic.

HTTP/HTTPS

Includes HTTP and HTTPS for web browsers to communicate with DCNM-SAN Web Services and for the distribution and installation of the Cisco DCNM-SAN software. It is not used for communication between the Cisco DCNM-SAN Server and Cisco MDS 9000 Family switches.

XML/CIM over HTTP/HTTPS

Includes CIM server support for designing storage area network management applications to run on Cisco SAN-OS and NX-OS.

ANSI T11 FC-GS-3

Provides Fibre Channel-Generic Services (FC-GS-3) in the defining management servers in the Fabric Configuration Server (FCS). DCNM-SAN uses the information provided by FCS on top of the information contained in the Name Server database and in the Fibre Channel Shortest Path First (FSPF) topology database to build a detailed topology view and collect information for all the devices building the fabric.

Storage Management Solutions Architecture

Management services required for the storage environment can be divided into five layers, with the bottom layer being closest to the physical storage network equipment, and the top layer managing the interface between applications and storage resources.

Of these five layers of storage network management, Cisco DCNM-SAN provides tools for device (element) management and fabric management. In general, the Device Manager is most useful for device management (a single switch), while DCNM-SAN is more efficient for performing fabric management operations involving multiple switches.

Tools for upper-layer management tasks can be provided by Cisco or by third-party storage and network management applications. The following summarizes the goals and function of each layer of storage network management:

Device management provides tools to configure and manage a device within a system or a fabric. You use device management tools to perform tasks on one device at a time, such as initial device configuration, setting and monitoring thresholds, and managing device system images or firmware.

Resource management provides tools for managing resources such as fabric bandwidth, connected paths, disks, I/O operations per second (IOPS), CPU, and memory. You can use DCNM-SAN to perform some of these tasks.

Application management provides tools for managing the overall system consisting of devices, fabric, resources, and data from the application. Application management integrates all these components with the applications that use the storage network. Application management capabilities are provided by third-party tools.

In-Band Management and Out-of-Band Management

Cisco DCNM-SAN requires an out-of-band (Ethernet) connection to at least one Cisco MDS 9000 Family switch. You need either mgmt0 or IP over Fibre Channel (IPFC) to manage the fabric.

mgmt0

The out-of-band management connection is a 10/100 Mbps Ethernet interface on the supervisor module, labeled mgmt0. The mgmt0 interface can be connected to a management network to access the switch through IP over Ethernet. You must connect to at least one Cisco MDS 9000 Family switch in the fabric through its Ethernet management port. You can then use this connection to manage the other switches using in-band (Fibre Channel) connectivity. Otherwise, you need to connect the mgmt0 port on each switch to your Ethernet network.

Each supervisor module has its own Ethernet connection; however, the two Ethernet connections in a redundant supervisor system operate in active or standby mode. The active supervisor module also hosts the active mgmt0 connection. When a failover event occurs to the standby supervisor module, the IP address and media access control (MAC) address of the active Ethernet connection are moved to the standby Ethernet connection.

IPFC

You can also manage switches on a Fibre Channel network using an in-band IP connection. The Cisco MDS 9000 Family supports RFC 2625 IP over Fibre Channel, which defines an encapsulation method to transport IP over a Fibre Channel network.

IPFC encapsulates IP packets into Fibre Channel frames so that management information can cross the Fibre Channel network without requiring a dedicated Ethernet connection to each switch. This feature allows you to build a completely in-band management solution.

Cisco DCNM-SAN

The Cisco DCNM-SAN provides an alternative to the command-line interface (CLI) for most switch configuration commands. For information on using the CLI to configure a Cisco MDS 9000 Family switch, refer to the Cisco MDS 9000 Family NX-OS Fundamentsls Configuration Guide or the Cisco MDS 9020 Switch Configuration Guide and Cisco MDS 9000 Family Command Reference Guide.

DCNM-SAN Server

The DCNM-SAN Server component must be started before running DCNM-SAN. On a Windows PC, the DCNM-SAN Server is installed as a service. This service can then be administered using the Windows Services in the Control Panel. DCNM-SAN Server is responsible for discovery of the physical and logical fabric, and for listening for SNMP traps, syslog messages, and Performance Manager threshold events.

DCNM-SAN Client

The DCNM-SAN Client component displays a map of your network fabrics, including Cisco MDS 9000 Family switches, third-party switches, hosts, and storage devices. The DCNM-SAN Client provides multiple menus for accessing the features of the DCNM-SAN Server.

Device Manager

Starting from Cisco MDS NX-OS Release 5.2(1), DCNM-SAN will automatically install Device Manager. The Device Manager provides two views of a single switch:

Device View displays a graphic representation of the switch configuration and provides access to statistics and configuration information.

Summary View displays a summary of xE ports (Inter-Switch Links), Fx ports (fabric ports), and Nx ports (attached hosts and storage) on the switch, as well as Fibre Channel and IP neighbor devices. Summary or detailed statistics can be charted, printed, or saved to a file in tab-delimited format.

Performance Manager

Performance Manager presents detailed traffic analysis by capturing data with SNMP. This data is compiled into various graphs and charts that can be viewed with any web browser.

DCNM Web Client

The DCNM Web Client allows operators to monitor and obtain reports for MDS events, performance, and inventory from a remote location using a web browser.

Initial Setup Routine

The first time you access a switch in the Cisco MDS 9000 Family, it runs a setup program that prompts you for the IP address and other configuration information necessary for the switch to communicate over the supervisor module Ethernet interface. This information is required to configure and manage the switch. The IP address can only be configured from the CLI. All Cisco MDS 9000 Family switches have the network administrator as a default user (admin). You cannot change the default user at any time. You must explicitly configure a strong password for any switch in the Cisco MDS 9000 Family. The setup scenario differs based on the subnet to which you are adding the new switch:

In-band management—This feature provides IP over Fibre Channel (IPFC) to manage the switches. The in-band management feature is transparent to the network management system (NMS).

The first time that you access a switch in the Cisco MDS 9000 Family using the CLI, it runs a setup program that prompts you for the IP address and other configuration information necessary for the switch to communicate over the supervisor module Ethernet interface. This information is required to configure and manage the switch.

Note The IP address can only be configured from the CLI. When you power up the switch for the first time, assign the IP address. After you perform this step, the Cisco MDS 9000 Family DCNM-SAN can reach the switch through the management port.

Preparing to Configure the Switch

Before you configure a switch in the Cisco MDS 9000 Family for the first time, you need the following information:

Administrator password, including:

– Creating a password for the administrator (required).

– Creating an additional login account and password (optional).

IP address for the switch management interface—The management interface can be an out-of-band Ethernet interface or an in-band Fibre Channel interface (recommended).

SSH service on the switch—To enable this optional service, select the type of SSH key (dsa/rsa/rsa1) and number of key bits (768 to 2048).

DNS IP address (optional).

Default domain name (optional).

NTP server IP address (optional).

SNMP community string (optional).

Switch name—This is your switch prompt (optional).

Note Be sure to configure the IP route, the IP default network address, and the IP default gateway address to enable SNMP access. If IP routing is enabled, the switch uses the IP route and the default network IP address. If IP routing is disabled, the switch uses the default gateway IP address.

Note You should verify that the DCNM-SAN Server hostname entry exists on the DNS server, unless the DCNM-SAN Server is configured to bind to a specific interface during installation.

Default Login

All Cisco MDS 9000 Family switches have the network administrator as a default user (admin). You cannot change the default user at any time (see the Cisco DCNM for SAN Security Configuration Guide).

You have an option to enforce secure password for any switch in the Cisco MDS 9000 Family. If a password is trivial (short, easy-to-decipher), your password configuration is rejected. Be sure to configure a secure password (see the Cisco DCNM for SAN Security Configuration Guide). If you configure and subsequently forget this new password, you have the option to recover this password (see the Cisco DCNM for SAN Security Configuration Guide).

Setup Options

The setup scenario differs based on the subnet to which you are adding the new switch. You must configure a Cisco MDS 9000 Family switch with an IP address to enable management connections from outside of the switch.

Note Some concepts such as out-of-band management and in-band management are briefly explained here. These concepts are explained in more detail in subsequent chapters.

In-band management—This feature provides IP over Fibre Channel (IPFC) to manage the switches. The in-band management feature is transparent to the network management system (NMS). Instead of conventional Ethernet physical media, switches in the Cisco MDS 9000 Family use IPFC as the transport mechanism. see Cisco DCNM for SAN IP Services Configuration Guide.

Figure 1-1 Management Access to Switches

Assigning Setup Information

This section describes how to initially configure the switch for both out-of-band and in-band management.

Note Press Ctrl-C at any prompt to skip the remaining configuration options and proceed with what is configured until that point. Entering a new password for the administrator is a requirement and cannot be skipped.

Tip If you do not wish to answer a previously configured question, or if you wish to skip answers to any questions, press Enter. If a default answer is not available (for example, switch name), the switch uses what was previously configured and skips to the next question.

Configuring Out-of-Band Management

Note You can configure both in-band and out-of-band configuration together by entering Yes in both Step 11c and Step 11d in the following procedure.

To configure the switch for first time out-of-band access, follow these steps:

Step 1 Power on the switch. Switches in the Cisco MDS 9000 Family boot automatically.

Do you want to enforce secure password standard (Yes/No)?

Step 2 Enter Yes to enforce secure password.

a. Enter the administrator password

Enter the password for admin: 2008asdf*lkjh17

b. Confirm the administrator password.

Confirm the password for admin: 2008asdf*lkjh17

Tip If a password is trivial (short, easy to decipher), your password configuration is rejected. Be sure to configure a secure password as shown in the sample configuration. Passwords are case-sensitive. You must explicitly configure a password that meets the requirements listed in the Cisco DCNM for SAN Security Configuration Guide.

Step 3 Enter yes to enter the setup mode.

Note This setup utility will guide you through the basic configuration of the system. Setup configures only enough connectivity for management of the system.

Please register Cisco MDS 9000 Family devices promptly with your supplier. Failure to register may affect response times for initial service calls. MDS devices must be registered to receive entitled support services.Press Enter anytime you want to skip any dialog. Use ctrl-c at anytime to skip away remaining dialogs.Would you like to enter the basic configuration dialog (yes/no): yes

The setup utility guides you through the basic configuration process. Press Ctrl-C at any prompt to end the configuration process.

Step 4 Enter the new password for the administrator (admin is the default).

Enter the password for admin: admin

Step 5 Enter yes (no is the default) to create additional accounts.

Create another login account (yes/no) [n]: yes

While configuring your initial setup, you can create an additional user account (in the network-admin role) besides the administrator’s account. See the Cisco DCNM for SAN Security Configuration Guide for information on default roles and permissions.

Note User login IDs must contain non-numeric characters.

a. Enter the user login ID [administrator].

Enter the user login ID: user_name

b. Enter the user password.

Enter the password for user_name: user-password

c. Confirm the user password for

Confirm the password for user_name: user-password

Step 6 Enter yes (no is the default) to create an SNMPv3 account.

Configure read-only SNMP community string (yes/no) [n]: yes

a. Enter the user name (admin is the default).

SNMPv3 user name [admin]: admin

b. Enter the SNMPv3 password (minimum of eight characters). The default is admin123.

SNMPv3 user authentication password: admin_pass

Step 7 Enter yes (no is the default) to configure the read-only or read-write SNMP community string.

c.Enter yes (no is the default) to configure a static route (recommended).

Configure static route: (yes/no) [n]: yes

Enter the destination prefix.

Destination prefix: dest_prefix

Type the destination prefix mask.

Destination prefix mask: dest_mask

Type the next hop IP address.

Next hop ip address: next_hop_address

Note Be sure to configure the IP route, the default network IP address, and the default gateway IP address to enable SNMP access. If IP routing is enabled, the switch uses the IP route and the default network IP address. If IP routing is disabled, the switch uses the default gateway IP address.

d.Enter yes (no is the default) to configure the default network (recommended).

Step 21 Enter yes (no is the default) to disable a full zone set distribution (see the Cisco DCNM for SAN Fabric Configuration Guide). Disables the switch-wide default for the full zone set distribution feature.

Enable full zoneset distribution (yes/no) [n]: yes

You see the new configuration. Review and edit the configuration that you have just entered.

Step 22 Enter no (no is the default) if you are satisfied with the configuration.

Step 23 Enter yes (yes is default) to use and save this configuration:

Use this configuration and save it? (yes/no) [y]: yesCaution If you do not save the configuration at this point, none of your changes are updated the next time the switch is rebooted. Type
yes to save the new configuration. This ensures that the kickstart and system images are also automatically configured.

Configuring In-Band Management

The in-band management logical interface is VSAN 1. This management interface uses the Fibre Channel infrastructure to transport IP traffic. An interface for VSAN 1 is created on every switch in the fabric. Each switch should have its VSAN 1 interface configured with an IP address in the same subnetwork. A default route that points to the switch providing access to the IP network should be configured on every switch in the Fibre Channel fabric (see Cisco Fabric Manager Fabric Configuration Guide)

Note You can configure both in-band and out-of-band configuration together by entering Yes in both Step 9c and Step 9d in the following procedure.

To configure a switch for first time in-band access, follow these steps:

Step 1 Power on the switch. Switches in the Cisco MDS 9000 Family boot automatically.

Step 2 Enter the new password for the administrator.

Enter the password for admin: 2004asdf*lkjh18

Tip If a password is trivial (short, easy-to-decipher), your password configuration is rejected. Be sure to configure a strong password as shown in the sample configuration. Passwords are case-sensitive. You must explicitly configure a password that meets the requirements listed in the User Accounts section in Cisco DCNM for SAN Security Configuration Guide.

Step 3 Enter yes to enter the setup mode.

This setup utility will guide you through the basic configuration of the system. Setup configures only enough connectivity for management of the system.Please register Cisco MDS 9000 Family devices promptly with your supplier. Failure to register may affect response times for initial service calls. MDS devices must be registered to receive entitled support services.Press Enter incase you want to skip any dialog. Use ctrl-c at anytime to skip away remaining dialogs.Would you like to enter the basic configuration dialog (yes/no): yes

The setup utility guides you through the basic configuration process. Press Ctrl-C at any prompt to end the configuration process.

Step 4 Enter no (no is the default) if you do not wish to create additional accounts.

Create another login account (yes/no) [no]: no

Step 5 Configure the read-only or read-write SNMP community string.

a. Enter no (no is the default) to avoid configuring the read-only SNMP community string.

Configure read-only SNMP community string (yes/no) [n]: no

Step 6 Enter a name for the switch.

Note The switch name is limited to 32 alphanumeric characters. The default is switch.

Enter the switch name: switch_name

Step 7 Enter no (yes is the default) at the configuration prompt to configure out-of-band management.

Step 20 Enter yes (yes is default) to use and save this configuration.

Use this configuration and save it? (yes/no) [y]: yesCaution If you do not save the configuration at this point, none of your changes are updated the next time the switch is rebooted. Type
yes to save the new configuration. This ensures that the kickstart and system images are also automatically configured.

Using the setup Command

To make changes to the initial configuration at a later time, you can issue the setup command in EXEC mode.

switch# setup---- Basic System Configuration Dialog ----This setup utility will guide you through the basic configuration ofthe system. Setup configures only enough connectivity for managementof the system.*Note: setup always assumes a predefined defaults irrespectiveof the current system configuration when invoked from CLI.Press Enter incase you want to skip any dialog. Use ctrl-c at anytimeto skip away remaining dialogs.Would you like to enter the basic configuration dialog (yes/no): yes

The setup utility guides you through the basic configuration process.

Starting a Switch in the Cisco MDS 9000 Family

The following procedure is a review of the tasks you should have completed during hardware installation, including starting up the switch. These tasks must be completed before you can configure the switch.

Note You must use the CLI for initial switch start up.

Before you can configure a switch, follow these steps:

Step 1 Verify the following physical connections for the new Cisco MDS 9000 Family switch:

The console port is physically connected to a computer terminal (or terminal server).

The management 10/100 Ethernet port (mgmt0) is connected to an external hub, switch, or router.

Refer to the Cisco MDS 9000 Family Hardware Installation Guide (for the required product) for more information.

Tip Save the host ID information for future use (for example, to enable licensed features). The host ID information is provided in the Proof of Purchase document that accompanies the switch.

Step 2 Verify that the default console port parameters are identical to those of the computer terminal (or terminal server) attached to the switch console port:

9600 baud

8 data bits

1 stop bit

No parity

Step 3 Power on the switch. The switch boots automatically and the switch# prompt appears in your terminal window.

Accessing the Switch

After initial configuration, you can access the switch in one of the three ways:

Serial console access—You can use a serial port connection to access the CLI.

In-band IP (IPFC) access—You can use Telnet or SSH to access a switch in the Cisco MDS 9000 Family or use SNMP to connect to a Cisco MDS 9000 DCNM-SAN application.

Out-of-band (10/100BASE-T Ethernet) access—You can use Telnet or SSH to access a switch in the Cisco MDS 9000 Family or use SNMP to connect to a Cisco MDS 9000 DCNM-SAN application.

After initial configuration, you can access the switch in one of three ways (see Figure 1-2):

Serial console access—You can use a serial port connection to access the CLI.

In-band IP (IPFC) access—You can use Telnet or SSH to access a switch in the Cisco MDS 9000 Family or use Cisco MDS 9000 DCNM-SAN to access the switch.

Out-of-band (10/100BASE-T Ethernet) access—You can use Telnet or SSH to access a switch in the Cisco MDS 9000 Family or use Cisco MDS 9000 DCNM-SAN to access the switch.

Figure 1-2 Switch Access Options

Where Do You Go Next?

After reviewing the default configuration, you can change it or perform other configuration or management tasks. The initial setup can only be performed at the CLI. However, you can continue to configure other software features, or access the switch after initial configuration by using either the CLI or the Device Manager and DCNM-SAN applications.